Cyber War Pt 2: Unintended Consequences

This follow up to ‘Cyber War – Real Time View‘ delves slightly deeper, and examines the possibility of ‘unintended consequences’

NORSE ScreenShot
Another view of attacks, again from security company Norse.

There are two important aspects regarding these images:

1. The people behind the attacks are not necessarily residing or even acting from the country the attacks appear to come from. As was noted last time, ‘this is a war without frontiers, uniforms, or even a clearly defined enemy’. Its important not to view this as one country versus another country type of war. It’s far more subtle than that.

2. The map mainly serves so show the scale and type of the attacks as monitored by Norse. It is not a complete picture of all worldwide threats. It under-reports because it doesn’t include attacks on sites that aren’t monitored by Norse. Other security companies will have similar maps that aren’t publicly available. Without access to that data, the real scale of intrusion attempts cannot be accurately assessed.

Many of these attacks are simply about theft. Data is money, and attackers are looking to steal private data to sell on to willing buyers.

The theft from ‘Target Stores’ in 2013 involved 40 million credit cards, and 70 million customer details. It was estimated that between 1 to 3 million card details were sold on by the thieves, netting around $54 million

Target aren’t alone, these have been subject to a large scale loss of data in 2014;
Staples – 1.16 million cards, Michaels (retail chain) – 2.6 million cards, Home Depot – 56 million cards and 53 million email addresses, Sony – Theft of 5 unreleased films, and 47k Social security numbers (including 15k staff) many will full personal details, JP Morgan Chase – 76 million households and 7 million small businesses data, and New York’s Attorney General advised that over 8 years, 22.8 million private records were exposed.

However, its not always about theft.

Industrial espionage or malicious intent can be the motives, such as disrupting a company or organization’s operations, sometimes re-routing or delaying the logistics chain. There is also the example from 2013 where drug dealers hacked the Belgium Antwerp port computers, with the intent to smuggle drugs into the country.

Probably the most public malicious attack was the Stuxnet worm, (2008-2010). An infected USB stick delivered a payload intended to achieve a very specific result, and targeted only the Siemens devices that controlled the Iranian centrifuges used for uranium enrichment. It’s believed that 20% of the Iranian centrifuges were destroyed by Stuxnet.

The worm was later confirmed to be a joint USA / Israeli operation, and although achieving its objective, it wasn’t without problems. The worm was designed not to travel outside the the nuclear facility. However an error in the code allowed the worm to replicate and spread all over the internet. It was claimed that no ‘unintended consequences’ occurred as a result, but some reports suggest otherwise. The Russians claimed that their nuclear facility was infected with the worm and, in the UK, a French owned nuclear reactor unexpectedly shut down. EDF confirmed that the reactor also used Siemens controllers, but denied that the Stuxnet virus was involved. In a secret war, how would we ever know?

However, whatever the truth, it does appear that no catastrophic events occurred. Will we be so lucky the next time, when the people who design malicious code fail to grasp the significance of the unintended consequences of their work?

This attack highlighted how unprepared countries and organisations are to defend or respond to such action. It also showed how catastrophic unintended consequences might occur.

Most of all, it showed the potential of Cyber-warfare – the ability to collapse complex infrastructures.

Similar malware could cause havoc if allowed to infiltrate the computers in large corporations or infrastructure such as Power, Water or Communications.

This isn’t a war in which people are merely spectators. In many cases they are the players. Often the doors are left open by the users themselves.

A major retail chain suffered a crippling attack last December, during a peak trading period. Despite having invested in an extensive central security team, it transpired that a senior director had download porn onto his work computer and unwittingly introduced the malware into his business.

Many intrusions occur because an individual had a lapse with their own security. One intrusion technique is APT (Advanced Persistent Threats) where a specific individual is identified, and then repeatedly targeted with the expectation that eventually one intrusion will be successful.

‘Security should be viewed as a shared responsibility that reaches well beyond the traditional view of it residing in a single department.’ …Senior Director NTT Com Security

This should be the standard thinking, but it’s far from it.

Security is not ‘configure and forget’. It requires constant monitoring and user interventions. Often the simple solutions are most effective.

Around 60% of attacks on web applications in the UK are ‘SQL injection‘, typically exploiting known vulnerabilities in software. It’s not reported how many are successful, but since NTT Com Security research shows that 76% of known vulnerabilities identified in Businesses were over 2 years old, its not hard to see why they are so popular with attackers. The simple act of regularly updating operating systems and applications would block them.

Everyone has responsibility for computer security.

When the lights go out, or communications fail, or water fails to run out of the tap, it’s quite possible that someone, somewhere enabled the malware intrusion by downloading some forbidden file onto their PC without first considering the possible ‘unintended consequences’.

That might be all it takes.

 

 

Advertisements

4 Comments

Filed under Privacy, Technology

4 responses to “Cyber War Pt 2: Unintended Consequences

  1. dpack

    social engineering can bypass most security,one excellent example is a cd on the car park tarmac in the morning labeled “payroll 2015” in felt tip pen.viewed by the finder or handed in and viewed by accounts the result can be the same.

    open in sandbox is a good option with any external media .

    • daedalus

      More social engineering:
      Rcall the screen saver ‘Johnny Castaway’?

      Where I worked in the late 1990’s, virtually every PC was unofficially running this screensaver.
      Today it would be an easy vehicle to use to upload malware.

  2. Reblogged this on adeybob's Blog and commented:
    We all know that a computer virus is a bit of code, designed to somehow compromise a computer system or network, so that damage can be inflicted, control exerted, or data stolen.
    Not enough people realise that a virus often acts like a living creature. They can eat, defecate, replicate and reproduce…what more do you want?
    Fewer people think about the implications of the existence of the computer virus, either
    The fact is, even if a computer virus does fulfil the main criterion for being considered alive, it has classically had little room to mutate when it undergoes replication..although that has always been part of the role of the malicious human programmer who has examined and ‘improved’ the little blighters for years.
    The worry now, quite apart from the threat of the actual spread of computer viruses, is that as they are becoming so complex they are getting greater chance to ‘successfully’ mutate during replication into something that does more than its original purpose of creation. Something like this is written in to many computer viruses to circumvent anti-virus recognition systems, and has been for some time (https://en.wikipedia.org/wiki/Metamorphic_code).
    Soon…everyone will be all-too aware of the term Frankenware (http://www.homelandsecuritynewswire.com/dr20120226-cybersecurity-firm-discovers-mutant-computer-viruses).
    I wonder how long it will take for ‘most people’ to realise that the world of internet banking, wireless hotspots, and computer-run nuclear-reactors, is something WE are all actually contributing to. We all now provide links and means to attack these systems, when our home PC’s are used in DDOS attacks (https://www.google.co.uk/url?sa=t&rct=j&q=&esrc=s&source=web&cd=2&cad=rja&uact=8&ved=0CDIQFjABahUKEwiWm_Gune3GAhXCWx4KHSKSB3Q&url=http%3A%2F%2Fthenextweb.com%2Fmedia%2F2010%2F12%2F19%2Fhow-ddos-attacks-became-the-frontline-tool-of-cyber-war%2F&ei=4cGuVdamA8K3eaKknqAH&usg=AFQjCNFDRcxyicATU7v9ZtUFXJy85p0W0A&sig2=bDMEikPdPMD-YHMluwcRqA&bvm=bv.98197061,d.ZGU)
    The internet of the world, is as it was in the wild wild west. One where anyone can have a gun, but most don’t know where to get one; one where one bullet can split and shoot thousands of people at once, often taking their online identity with it.
    But in this new world of malicious software, everyone can have a suit of armour…yet most forget a bullet can still be invited in.
    As Daedalus said, we are all now the new weapons of the internet, even as we are all now potentially the most vulnerable we have ever been since we started to urinate into porcelain.
    Get sharp, because we are all responsible for this vast creature we have almost-accidentally created, however it was created, and whoever is trying to run it.
    I think it will be less ‘the internet of things’, and more ‘the thing called the internet’.
    A

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s